Sunday, April 27, 2025

: A Technical Analysis of a Novel Remote Access Trojan Targeting Sensitive Data

1. Executive Summary

StilachiRAT, a sophisticated Remote Access Trojan (RAT), was brought to light by Microsoft Incident Response in November 2024 [1]. This newly discovered malware possesses a range of malicious capabilities designed to compromise systems and exfiltrate sensitive information [1]. Its arsenal includes system reconnaissance, credential and cryptocurrency theft, command and control (C2) connectivity, mechanisms for maintaining persistence, command execution, remote desktop monitoring, and techniques for evading detection and forensic analysis [1]. Notably, StilachiRAT exhibits a specific focus on targeting cryptocurrency wallet extensions within the Google Chrome browser [1]. Systems lacking adequate security measures are particularly vulnerable to the havoc that malware like StilachiRAT can wreak [1].

The consistent emphasis on cryptocurrency theft across numerous reports suggests a growing trend in malware development that targets digital assets. This focus likely stems from the increasing value and popularity of cryptocurrencies.

2. Introduction to StilachiRAT

Microsoft Incident Response researchers first discovered StilachiRAT in November 2024 [1]. This malware is classified as a Remote Access Trojan (RAT), a type of malware that enables unauthorized remote access to and control over a compromised computer [1]. While current observations suggest that StilachiRAT is not yet widely distributed, its sophisticated techniques for evading detection and maintaining persistence make it a noteworthy threat [1]. To date, Microsoft has not attributed this malware to any specific threat actor or nation-state [1].

The proactive sharing of details regarding StilachiRAT by Microsoft, despite its limited distribution, underscores the potential danger it poses. The advanced nature of its evasion and persistence mechanisms suggests that it could become a significant cybersecurity concern if it were to spread more widely.

3. Technical Analysis of StilachiRAT Capabilities

3.1. System Reconnaissance

StilachiRAT is equipped with the ability to gather extensive information about a compromised system [1]. This includes details about the operating system, hardware identifiers such as BIOS serial numbers, the presence of a camera, active Remote Desktop Protocol (RDP) sessions, and the graphical user interface (GUI) applications that are currently running [1]. To achieve this detailed profiling, the malware leverages the Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces through the use of WMI Query Language (WQL) [2]. Specific examples of WQL queries executed by StilachiRAT include SELECT * FROM win32_bios to retrieve the system's serial number, as well as queries to determine the presence of a camera and to gather information about the operating system and computer system [11]. Furthermore, the malware generates a unique identifier for each infected device by combining its serial number with the attackers' public RSA key; this identifier is then stored in the registry under a specific CLSID key [11]. This active approach to reconnaissance, where the malware directly interacts with the system to gather information, contrasts with passive methods that rely on observation without direct engagement [34]. While active reconnaissance can provide more accurate and faster results, it also carries a higher risk of detection because of the additional system activity it generates [34].

The utilization of WMI and WQL for system reconnaissance by StilachiRAT indicates a deliberate and targeted approach. By employing these tools, the malware can efficiently collect specific and detailed information about the compromised environment, which is likely used to tailor subsequent malicious activities to maximize their effectiveness.

3.2. Credential and Cryptocurrency Wallet Theft

A primary objective of StilachiRAT is the theft of sensitive credentials and cryptocurrency assets. The malware is designed to target the configuration data of approximately 20 different cryptocurrency wallet extensions specifically used within the Google Chrome browser [1]. To identify these extensions, StilachiRAT accesses the registry key \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings to determine which ones are installed on the system [3]. The specific cryptocurrency wallet extensions targeted by StilachiRAT and their corresponding Chrome extension identifiers are detailed in the table below:


Extension Name                    | Chrome Extension Identifier       | Source
----------------------------------|-----------------------------------|-------
Bitget Wallet (Formerly BitKeep)  | jiidiaalihmmhddjgbnbgdfflelocpak  | [4]
Trust Wallet                      | egjidjbpglichdcondbcbdnbeeppgdph  | [4]
TronLink                          | ibnejdfjmmkpcnlpebklmnkoeoihofec  | [4]
MetaMask (ethereum)               | nkbihfbeogaeaoehlefnkodbefgpgknn  | [4]
TokenPocket                       | mfgccjchihfkkindfppnaooecgfneiii  | [11]
BNB Chain Wallet                  | fhbohimaelbohpjbbldcngcnapndodjp  | [11]
OKX Wallet                        | mcohilncbfahbmgdjkbpemcciiolgcge  | [11]
Sui Wallet                        | opcgpfmipidbgpenhmajoajpbobppdil  | [11]
Braavos – Starknet Wallet         | jnlgamecbpmbajjfhmmmlhejkemejdma  | [11]
Coinbase Wallet                   | hnfanknocfeofbddgcijnmhnfnkdnaad  | [4]
Leap Cosmos Wallet                | fcfcfllfndlomdhbehjjcoimbgofdncg  | [11]
Manta Wallet                      | enabgbdfcbaehmbigakijjabdpdnimlg  | [11]
Keplr                             | dmkamcknogkgcdfhhbddcghachkejeap  | [11]
Phantom                           | bfnaelmomeimhlpmgjnjophhpkkoljpa  | [4]
Compass Wallet for Sei            | anokgmphncpekkhclmingpimjmcooifb  | [11]
Math Wallet                       | afbcbjpbpfadlkmhmclhkeeodmamcfl   | [11]
Fractal Wallet                    | agechnindjilpccclelhlbjphbgnobpf  | [11]
Station Wallet                    | aiifbnbfobpmeekipheeijimdpnlpgpp  | [11]
ConfluxPortal                     | bjiiiblnpkonoiegdlifcciokocjbhkd  | [11]
Plug                              | cfbfdhimifdmdehjmkdobpcjfefblkjm  | [11]

In addition to targeting cryptocurrency wallets, StilachiRAT is capable of extracting and decrypting saved credentials from Google Chrome [1]. This process involves obtaining the encryption_key from the Local State file located at %LOCALAPPDATA%\Google\Chrome\User Data\Local State. Since this key is encrypted during Chrome's installation, the malware uses Windows APIs within the current user's context to decrypt it [1]. The stored credentials are then retrieved from the SQLite database located at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data using specific SQL queries [11]. Furthermore, StilachiRAT continuously monitors clipboard content for sensitive information such as passwords and cryptocurrency keys, potentially employing regular expressions to identify relevant data [1]. A notable technique used to compromise cryptocurrency transactions is clipboard hijacking, where the malware intercepts copied wallet addresses and replaces them with addresses controlled by the attackers [28].

The detailed and specific targeting of cryptocurrency wallet extensions, combined with the sophisticated method used to extract Chrome's encryption key, indicates that the developers of StilachiRAT possess a deep understanding of how these applications store sensitive data. This level of technical insight suggests a significant investment in reverse-engineering these targets.

3.3. Command and Control (C2) Communication

StilachiRAT establishes communication with remote command and control (C2) servers to receive instructions and exfiltrate stolen data [1]. This communication channel uses TCP port 53, 443, or 16000, with the port selected randomly [3]. The identified C2 server addresses are the domain name app.95560[.]cc and the IP address 194.195.89[.]47 [3]. This two-way communication allows the attackers to send commands to the infected machine and receive the harvested data [1]. Notably, the malware delays its initial connection to the C2 server until two hours after infection, which is likely an attempt to evade detection by time-sensitive analysis tools [11]. Additionally, StilachiRAT checks for the presence of tcpview.exe, a network monitoring tool, and terminates its execution if it is found, indicating an awareness of potential analysis environments [11]. As an additional evasion technique, one of the C2 addresses is obfuscated, while the other is converted into a binary format [3]. In the broader context of cyberattacks, command and control infrastructure is the backbone that enables attackers to maintain resilient and highly available communication with compromised devices, often employing techniques to obscure their malicious activities [35].

The strategic use of common ports such as 53 and 443 for C2 communication allows StilachiRAT to blend its malicious network traffic with legitimate DNS and HTTPS traffic, significantly complicating detection efforts. The implementation of a two-hour delay before the initial connection and the check for analysis tools further underscores the malware's intent to evade immediate scrutiny and analysis.

3.4. Persistence Mechanisms

StilachiRAT incorporates mechanisms to ensure that it persists on compromised systems, even after reboots or attempts at removal [1]. It can be launched either as a standalone component or as a Windows service [1]. Regardless of its form, the malware uses a watchdog thread that continuously checks for the presence of the RAT's executable or dynamic link library (DLL) files [1]. If these components are not found, the watchdog thread recreates them from an internal copy generated during the malware's initialization phase [1]. Furthermore, StilachiRAT can replicate its Windows service component by modifying registry settings and then launching it through Windows' Service Control Manager (SCM) [1]. In the broader landscape of malware persistence, techniques such as Run keys, services, and scheduled tasks are commonly employed to maintain a foothold on an infected system [38]. Threat actors often abuse the SCM to create and start services, even when the executable is not a valid service application, as a means of achieving persistence [13]. Monitoring for specific Event IDs, such as 7045 (a new service was installed) and 7040 (the start type of a service was changed), can serve as indicators of such persistence mechanisms [15].

The combination of a persistent watchdog thread and the capability to register as a Windows service provides StilachiRAT with a robust, multi-faceted approach to ensuring its survival on an infected system. This redundancy makes it significantly more challenging to completely eradicate the malware, as even if one mechanism is disabled, the other can ensure its continued operation.

3.5. Command Execution and Remote Control

StilachiRAT possesses the capability to execute a variety of commands received from its command and control (C2) server, granting attackers significant remote control over the compromised system [1]. These commands include actions such as initiating a system reboot, clearing system logs, manipulating registry entries, executing arbitrary applications, and suspending the system [1]. Specific commands are triggered by numerical codes sent from the C2 server: for instance, code 07 displays dialog boxes, 08 clears event logs, 09 reboots the system, 16 launches applications, 19 enumerates open windows, 26 suspends the system, and 30 initiates the theft of Chrome credentials [7]. The malware can also manipulate system windows and establish new outbound network connections [1]. Furthermore, StilachiRAT's command set enables a form of SOCKS-like proxying through the commands it supports [13].

The extensive set of commands supported by StilachiRAT provides attackers with significant control over infected systems, enabling them to perform a wide array of malicious activities remotely, ranging from the theft of sensitive data to the disruption of system operations. The SOCKS-like proxying functionality can further facilitate anonymous communication and potentially aid in lateral movement within a compromised network.

3.6. Anti-Forensics and Evasion Techniques

StilachiRAT employs various anti-forensic and evasion techniques to hinder detection and analysis [1]. These include clearing event logs to remove traces of its activity [1], and checking for analysis tools and sandbox environments, which prevents its full activation in the virtualized settings commonly used for malware analysis [1]. To further complicate manual analysis, StilachiRAT obfuscates its use of Windows API calls [1]. Additionally, a custom algorithm encodes many of the text strings and values used by the malware, which significantly slows down analysis [1]. The malware also delays its network connections [11] and terminates itself if it detects the presence of certain analysis tools [31].

The combination of these sophisticated anti-forensic and evasion techniques indicates a deliberate effort by the developers of StilachiRAT to make it difficult to detect, analyze, and ultimately, eradicate. This multi-layered approach suggests a high level of sophistication and likely attribution to a capable threat actor.

3.7. RDP Monitoring

StilachiRAT includes the capability to monitor active Remote Desktop Protocol (RDP) sessions [1]. This monitoring involves capturing information about the foreground window [1]. More significantly, StilachiRAT can duplicate security tokens to impersonate users who are logged in via RDP [1]. This capability is particularly risky on RDP servers that host administrative sessions, as it could enable attackers to move laterally within the compromised network with the privileges of the impersonated user [1]. The malware also enumerates all active RDP sessions on the system [3].

The RDP monitoring and security token duplication features of StilachiRAT pose a significant threat, as they allow attackers to potentially gain unauthorized access to other systems within the network by assuming the identity of legitimate users. This capability greatly enhances the potential for lateral movement and further compromise across the network infrastructure.

4. Infection Vectors and Spreading Methods

Currently, the exact delivery mechanism used by StilachiRAT to initially compromise systems has not been definitively identified by Microsoft [1]. However, based on the typical infection vectors observed for other Remote Access Trojans, several methods are plausible for StilachiRAT [1]. These include the distribution of trojanized software or malicious software bundles from unofficial download sites [1], malicious websites that host exploit kits or initiate drive-by downloads [1], and delivery via email attachments in phishing campaigns [1]. Other potential infection methods include exploiting specific software vulnerabilities, brute-force attacks against RDP, infected USB drives (USB droppers), and distribution through fake applications or malicious links on social media platforms [2]. These methods often rely on a combination of social engineering, to trick users into actions that lead to the malware's installation, and technical exploits that leverage vulnerabilities in software or systems [2]. The mention of a ClickFix campaign that delivered credential-stealing malware highlights the ongoing relevance of social engineering as an initial access vector [12].

The current lack of a confirmed initial access vector for StilachiRAT suggests that it might be employing multiple methods or that its distribution is in its early stages and still under investigation. The understanding of typical RAT delivery mechanisms provides valuable insight into how this threat might spread in the future.

5. Real-World Attack Scenarios and Potential Impact

While StilachiRAT has been observed in the wild on a few occasions, there is no indication of widespread distribution at this time [1]. Nevertheless, its capabilities suggest the potential for significant impact, particularly due to its focus on stealing data from cryptocurrency wallets [1]. The ability to steal credentials from web browsers also poses a considerable risk, potentially leading to unauthorized access to a wide range of online accounts and services [1]. Furthermore, the RDP monitoring and potential for lateral movement within networks could allow attackers to gain access to sensitive data and systems beyond the initially compromised machine, particularly affecting servers hosting administrative sessions [1]. The fact that a significant percentage of successful user logins rely on compromised passwords underscores the potential effectiveness of StilachiRAT's credential theft in facilitating unauthorized access [3].

Despite its limited distribution to date, StilachiRAT's focus on high-value targets such as cryptocurrency wallets, coupled with its ability to enable lateral movement across networks, positions it as a significant threat that necessitates proactive defensive measures. The prevalence of compromised passwords in successful logins further highlights the potential impact of its credential theft capabilities.

6. Indicators of Compromise (IOCs)

The following indicators of compromise (IOCs) can be used to detect potential StilachiRAT infections [1]:

  • File Hash (SHA-256): 394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb (for WWStartupCtrl64.dll) [20]

  • C2 IP Address: 194.195.89[.]47 [3]

  • C2 Domain Name: app.95560[.]cc [3]

  • Registry Key (Digital Wallet Targeting): \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings [3]

  • Registry Key (Device Identification): under the CLSID key [11]

  • Mutex: ACM.Ps-Rd32!g1 [6]

  • Event IDs to Monitor (Persistence): 7045, 7040, 4697 [15]

  • Event IDs to Monitor (Anti-Forensics): 1102, 104 [15]

  • File Paths (Credential Theft): %LOCALAPPDATA%\Google\Chrome\User Data\Local State, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data [11]

  • Network Traffic Patterns: communication over TCP ports 53, 443, or 16000 [3]

  • Presence of File: WWStartupCtrl64.dll [7]
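The following PowerShell is an added hunting script, not from the report, Microsoft or any vendor: it checks one host for the indicators listed above, the persistence and log-clearing event IDs from section 3.4 and the C2 addresses and ports from section 3.3. It assumes an elevated prompt (needed for the Security log and other users' connections); the lookback window and the folders searched for the DLL are my own choices.

```powershell
# Added hunting script (not from the report or any vendor). Save as a .ps1 and run
# elevated. Findings are printed as a table; absence of hits is not proof of a clean host.
param([int]$LookbackHours = 72)   # assumed window; widen for older infections

$since   = (Get-Date).AddHours(-$LookbackHours)
$C2Ip    = '194.195.89.47'        # report IOC, written undefanged so it can be matched
$C2Host  = 'app.95560.cc'         # report IOC, written undefanged so it can be matched
$DllName = 'WWStartupCtrl64.dll'
$Mutex   = 'ACM.Ps-Rd32!g1'
$ExtKey  = 'HKCU:\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings'

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$Indicator, [string]$Detail) {
    $hits.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Persistence: service installed (7045) or start type changed (7040) in the System
#    log; service installed (4697) in the Security log.
foreach ($spec in @(@{LogName='System'; Id=7045,7040}, @{LogName='Security'; Id=4697})) {
    $spec.StartTime = $since
    Get-WinEvent -FilterHashtable $spec -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit "EventID $($_.Id) ($($_.LogName))" ($_.Message -split "`n")[0] }
}

# 2. Anti-forensics: Security log cleared (1102), System log cleared (104).
foreach ($spec in @(@{LogName='Security'; Id=1102}, @{LogName='System'; Id=104})) {
    $spec.StartTime = $since
    Get-WinEvent -FilterHashtable $spec -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit "EventID $($_.Id) ($($_.LogName))" "log cleared at $($_.TimeCreated)" }
}

# 3. Network: live connections to the C2 IP, or to port 16000 anywhere (53 and 443 are
#    too common to flag on port alone), plus the C2 domain in the DNS client cache.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Ip -or $_.RemotePort -eq 16000 } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Hit 'C2 connection' "$($_.RemoteAddress):$($_.RemotePort) by PID $($_.OwningProcess) ($proc)"
    }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -eq $C2Host -or $_.Data -eq $C2Ip } |
    ForEach-Object { Add-Hit 'C2 DNS cache entry' "$($_.Entry) -> $($_.Data)" }

# 4. File: the named DLL under the usual drop roots (assumed list; slow but thorough).
foreach ($root in @($env:SystemRoot, $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA)) {
    Get-ChildItem -Path $root -Filter $DllName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'Malware DLL present' $_.FullName }
}

# 5. Mutex: OpenExisting throws WaitHandleCannotBeOpenedException when the mutex is
#    absent; an access-denied error means it exists but is owned by another session.
try {
    $m = [System.Threading.Mutex]::OpenExisting($Mutex); $m.Dispose()
    Add-Hit 'Mutex present' $Mutex
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
} catch [System.UnauthorizedAccessException] {
    Add-Hit 'Mutex present (access denied)' $Mutex
}

# 6. Registry: the wallet-extension key the malware reads. It exists on any host with
#    Chrome, so it is reported as context for triage, not as a verdict.
if (Test-Path $ExtKey) { Add-Hit 'Chrome extensions.settings key (context)' $ExtKey }

if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap }
else { Write-Output "No StilachiRAT indicators found in the last $LookbackHours hours." }
```

Event 4697 requires the "Audit Security System Extension" subcategory to be enabled, and the mutex check only sees the current session's namespace unless the name is global, so a missing hit on those two items is weaker evidence than the others.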

Providing this comprehensive list of IOCs is vital for enabling security teams to proactively search for and identify instances of StilachiRAT within their environments. This information allows for the creation of detection rules and signatures for various security tools.

7. Detection and Removal Strategies

To detect and remove StilachiRAT from an infected system, it is recommended to utilize reputable antivirus and endpoint detection and response (EDR) solutions [1]. VMware Carbon Black products are reported to be capable of blocking and detecting malicious indicators associated with this threat [6]. Ensuring that security software is consistently updated is crucial for maintaining protection against the latest malware variants [1]. Security teams should monitor network traffic for suspicious outbound connections to the identified C2 infrastructure and examine systems for signs of persistence, such as newly installed or modified services, as well as anti-forensic behaviors like the clearing of event logs [15]. Microsoft has provided specific hunting queries for Microsoft Defender XDR and Microsoft Sentinel that can aid in identifying related activity within networks [18]. As a preventative measure, disabling password auto-saving in web browsers can limit the potential for credential theft [15]. Implementing application whitelisting, such as with Microsoft AppLocker, can help prevent the execution of unauthorized executables [15]. Blocking the identified IOCs at the network level using firewalls and other security controls is also a critical step [15]. If a StilachiRAT infection is suspected, it is advisable to perform a thorough malware scan of the affected system and, for cryptocurrency users, to transfer any funds from potentially compromised wallets to secure wallets on trusted devices [28].

A comprehensive strategy for detecting and removing StilachiRAT requires a combination of robust and up-to-date security software, proactive monitoring for suspicious activities based on threat intelligence, and the application of specific detection techniques provided by security researchers.

8. Prevention and Mitigation Best Practices

Preventing a StilachiRAT infection requires a layered security approach and user awareness. It is crucial to download software only from official websites or reputable sources to avoid inadvertently installing malware disguised as legitimate applications or updates [1]. Utilizing web browsers that incorporate SmartScreen technology, such as Microsoft Edge, can help block malicious websites and downloads [1]. For organizations using Microsoft 365, enabling Safe Links and Safe Attachments for Office 365 provides an additional layer of protection against malicious links and email attachments [1]. Enabling network protection in Microsoft Defender for Endpoint can prevent access to known malicious domains and content on the internet [1]. Further hardening measures within Microsoft Defender for Endpoint include ensuring tamper protection is enabled, running EDR in block mode, and configuring investigation and remediation in full automated mode [20]. It is also recommended to turn on potentially unwanted applications (PUA) protection in block mode within Microsoft Defender Antivirus [20] and to enable both cloud-delivered protection and real-time protection in Microsoft Defender Antivirus or a comparable antivirus solution [20]. Keeping the operating system and all installed software up to date with the latest security patches is paramount in mitigating vulnerabilities that malware might exploit [1]. Enabling Multi-Factor Authentication (MFA) wherever possible adds an extra layer of security to accounts, making them more resistant to compromise even if credentials are stolen [8]. Users should exercise caution when clicking on links or downloading files, especially from unverified or suspicious sources [8], and regularly monitor system logs for any unauthorized changes or unusual activity [8]. For individuals involved in cryptocurrency, it is advisable to be particularly cautious with clipboard activity and to consider using hardware wallets, which offer a higher level of security for digital assets [8]. Educating users about cybersecurity best practices, including how to identify phishing emails and other social engineering tactics, is a critical component of prevention [29]. Restricting outbound communication to known legitimate C2 servers and enforcing PowerShell logging can also aid in preventing and detecting malicious activity [40].

A comprehensive security posture that incorporates preventative technical measures, robust configurations of security software, ongoing user education, and specific precautions for high-risk activities like cryptocurrency management is essential for effectively mitigating the risk of StilachiRAT infections and minimizing their potential impact.

9. Conclusion

StilachiRAT represents a sophisticated and stealthy Remote Access Trojan with a diverse range of malicious capabilities, particularly focused on the theft of cryptocurrency and credentials. Its techniques for system reconnaissance, data exfiltration, command and control, persistence, evasion, and RDP monitoring pose a significant threat to unsecured systems. While its current distribution appears limited, the advanced nature of its design and functionality warrants serious attention from cybersecurity professionals. Implementing the recommended detection, removal, and prevention strategies is crucial for safeguarding against this emerging threat. Continuous monitoring of the threat landscape and adaptation of security measures will be essential in staying ahead of evolving malware like StilachiRAT.

Works cited

  1. Microsoft Warns of New StilachiRAT Malware - SecurityWeek, accessed April 27, 2025, https://www.securityweek.com/microsoft-warns-of-new-stilachirat-malware/

  2. New 'StilachiRAT' found scurrying in crypto wallets - Field Effect, accessed April 27, 2025, https://fieldeffect.com/blog/stilachirat-scurrying-crypto-wallets

  3. CTI Roundup: StilachiRAT, Reddit Infostealers, and New Password Reuse Data | Tanium, accessed April 27, 2025, https://www.tanium.com/blog/cti-roundup-stilachirat-reddit-infostealers-new-password-reuse-data/

  4. Threat Intelligence - StilachiRAT: A New Remote Access Trojan Posing a Significant Threat, accessed April 27, 2025, https://www.quorumcyber.com/threat-intelligence/stilachirat-a-new-remote-access-trojan-posing-a-significant-threat/

  5. Weekly Summary Cyberattacks March 13-18 | Cyber Solutions By Thales, accessed April 27, 2025, https://cds.thalesgroup.com/pt-pt/node/1592

  6. StilachiRAT malware - Broadcom Inc., accessed April 27, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/stilachirat-malware

  7. Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting ..., accessed April 27, 2025, https://thehackernews.com/2025/03/microsoft-warns-of-stilachirat-stealthy.html

  8. New Trojan Malware StilachiRAT Targets Crypto Browser Wallets, Microsoft Warns, accessed April 27, 2025, https://mooloo.net/new-trojan-malware-stilachirat-targets-crypto-browser-wallets-microsoft-warns/

  9. Cyber Reconnaissance Techniques - Communications of the ACM, accessed April 27, 2025, https://cacm.acm.org/research/cyber-reconnaissance-techniques/

  10. Weekly Summary Cyberattacks March 13-18 | Cyber Solutions By Thales, accessed April 27, 2025, https://cds.thalesgroup.com/en/node/1592

  11. StilachiRAT - DSCI, accessed April 27, 2025, https://www.dsci.in/backend/sites/default/files/content/advisory/2025/Threat-Advisory-March-2025.pdf

  12. Attacker techniques, tools, and infrastructure | Latest Threats | Microsoft Security Blog, accessed April 27, 2025, https://www.microsoft.com/en-us/security/blog/threat-intelligence/attacker-techniques-tools-and-infrastructure/

  13. Novel sophisticated StilachiRAT malware emerges - SC Media, accessed April 27, 2025, https://www.scworld.com/brief/novel-sophisticated-stilachirat-malware-emerges

  14. THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More, accessed April 27, 2025, https://thehackernews.com/2025/03/thn-weekly-recap-github-supply-chain.html

  15. Stilachirat: A Silent Intruder In Your System, Stealing Data And Crypto Assets, accessed April 27, 2025, https://www.ampcuscyber.com/shadowopsintel/stilachirat-a-silent-intruder-in-your-system-stealing-data-and-crypto-assets/

  16. Researchers Discover New 'StilachiRat' Malware - Bitdefender, accessed April 27, 2025, https://www.bitdefender.com/en-au/blog/hotforsecurity/researchers-discover-new-stilachirat-malware

  17. StilachiRAT - Stealthy Malware Targeting Credentials and Crypto Wallets - TZ-CERT, accessed April 27, 2025, https://www.tzcert.go.tz/en/advisory/TZCERT-SA-25-0076-stilachirat-stealthy-malware-targeting-credentials-and-crypto-wallets

  18. Threat intelligence | Microsoft Security Blog, accessed April 27, 2025, https://www.microsoft.com/en-us/security/blog/topic/threat-intelligence/

  19. Microsoft Security Experts News and Insights, accessed April 27, 2025, https://www.microsoft.com/en-us/security/blog/products/microsoft-security-experts/

  20. StilachiRAT analysis: From system reconnaissance to cryptocurrency theft | Microsoft Security Blog, accessed April 27, 2025, https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/

  21. Microsoft identifies new RAT targeting cryptocurrency wallets and more, accessed April 27, 2025, https://therecord.media/stilachirat-new-remote-access-trojan-crypto-wallets

  22. Black Basta Ransomware Gang Unleashes 'BRUTED' to Automate VPN Attacks | SISA Weekly Threat Watch, accessed April 27, 2025, https://www.sisainfosec.com/weekly-threat-watch/black-basta-ransomware-gang-unleashes-bruted-to-automate-vpn-attacks/

  23. Microsoft Warns of New StilachiRAT Malware Targeting Sensitive, accessed April 27, 2025, https://247it.services/microsoft-warns-of-new-stilachirat-malware-targeting-sensitive-data/

  24. Securonix Threat Labs Monthly Intelligence Insights – March 2025, accessed April 27, 2025, https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-march-2025/

  25. MSP cybersecurity news digest, March 24, 2025 - Acronis, accessed April 27, 2025, https://www.acronis.com/en-us/cyber-protection-center/posts/msp-cybersecurity-news-digest-march-24-2025/

  26. Weekly Top 10: 03.24.2025: Semrush Impersonation Scam Hits Google Ads; Detecting and Mitigating Apache Tomcat, VSCode Extensions Found Downloading Early-Stage Ransomware, and More. – Innovate Cybersecurity | Threat Advisory, News, and Events, accessed April 27, 2025, https://innovatecybersecurity.com/security-threat-advisory/weekly-top-10-03-24-2025-semrush-impersonation-scam-hits-google-ads-detecting-and-mitigating-apache-tomcat-vscode-extensions-found-downloading-early-stage-ransomware-and-more/

  27. Protect Against StilachiRAT: Key Security Measures - The National Law Review, accessed April 27, 2025, https://natlawreview.com/article/privacy-tip-436-microsoft-warns-crypto-wallet-scanning-malware-stilachirat

  28. 'StilachiRAT' targets crypto wallets - Moxso, accessed April 27, 2025, https://moxso.com/blog/stilachirat-targets-crypto-wallets

  29. Cybersecurity Threat Advisory: New RAT malware, accessed April 27, 2025, https://smartermsp.com/cybersecurity-threat-advisory-new-rat-malware/

  30. Microsoft Incident Response, Author at Microsoft Security Blog, accessed April 27, 2025, https://www.microsoft.com/en-us/security/blog/author/detection-and-response-team-dart/

  31. StilachiRAT: A Sophisticated Cyber Threat - Irish Information Security Forum, accessed April 27, 2025, https://iisf.ie/StilachiRAT

  32. Stealthy StilachiRAT steals data, may enable lateral movement - Help Net Security, accessed April 27, 2025, https://www.helpnetsecurity.com/2025/03/18/stealthy-stilachirat-steals-data-may-enable-lateral-movement/

  33. Consumer Protection Tuesday: How to Protect Yourself from ..., accessed April 27, 2025, https://www.coinbase.com/blog/consumer-protection-tuesday-how-to-protect-yourself-from-malware-threats

  34. Understanding Cyber Reconnaissance Techniques - Blumira, accessed April 27, 2025, https://www.blumira.com/glossary/reconnaissance

  35. NSA and partners Issue Guidance on Fast Flux as a National Security Threat, accessed April 27, 2025, https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4143636/nsa-and-partners-issue-guidance-on-fast-flux-as-a-national-security-threat/

  36. Understanding Command & Control (C2) Infrastructure | Blog - VulnCheck, accessed April 27, 2025, https://vulncheck.com/blog/understanding-command-control-infrastructure

  37. What is C2? Command and Control Infrastructure Explained - Varonis, accessed April 27, 2025, https://www.varonis.com/blog/what-is-c2

  38. Persistence Techniques That Persist - CyberArk, accessed April 27, 2025, https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist

  39. Abusing the Service Control Manager to Establish Persistence for Non-Service Applications, accessed April 27, 2025, https://unit42.paloaltonetworks.com/unit42-abusing-service-control-manager-establish-persistence-non-service-applications/

  40. Threat actors misuse Node.js to deliver malware and other malicious payloads - Microsoft, accessed April 27, 2025, https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/

  41. What's an IOC? - Indicators of compromise (IOCs) alert you about known malicious objects on your endpoints. - Administrator Guide - Cortex XSIAM, accessed April 27, 2025, https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/What-s-an-IOC

  42. Fortinet finds more malicious IPs linked to widely exploited zero-day | Cybersecurity Dive, accessed April 27, 2025, https://www.cybersecuritydive.com/news/fortinet-cve-indicators-compromise/731616/
